CVE-2024-53387
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2024-53387 is a DOM Clobbering vulnerability in umeditor v1.2.3, a web-based rich text editor component. The flaw enables attackers to execute arbitrary code by supplying a crafted HTML element that manipulates the Document Object Model (DOM). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-79 (Improper Neutralization of Input During Web Page Generation, commonly known as cross-site scripting).
Attackers can exploit this vulnerability remotely without authentication privileges, provided a user interacts with the malicious content, such as by loading or rendering a page containing the crafted HTML in an affected umeditor instance. Successful exploitation grants arbitrary code execution in the victim's browser context, resulting in high impacts to confidentiality, integrity, and availability, such as data theft, session hijacking, or further malware delivery.
Mitigation details and proof-of-concept are available in the referenced GitHub Gist at https://gist.github.com/jackfromeast/d52c506113f33b8871d0e647411df894, published alongside the CVE disclosure on 2025-03-03.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables arbitrary JavaScript execution in browser via DOM Clobbering/XSS, directly mapping to client-side exploitation (T1203) and JavaScript interpreter abuse (T1059.007).